CHA News Article

OCR Releases HITECH Audit Protocol

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), posted on its website yesterday the protocol used to conduct the audits required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The OCR audit program analyzes key processes, controls and policies of selected covered entities, including hospitals.

The audit protocol covers:

  1. Privacy rule requirements for 1) notice of privacy practices for protected health information (PHI); 2) rights to request privacy protection for PHI; 3) access of individuals to PHI; 4) administrative requirements; 5) uses and disclosures of PHI; 6) amendment of PHI; and 7) accounting of disclosures.
  2. Security rule requirements for administrative, physical and technical safeguards.
  3. Requirements for the Breach Notification Rule.

To access the audit protocol, go to